Multiple illegal operation errors on startup
Showing all messages in thread #1115986375 Windows 98 Annoyances Discussion Forum
The following are all of the messages in this thread (26 in all), shown in chronological order.
|
Multiple illegal operation errors on startup
Friday, May 13, 2005 at 5:12 am Posted by Weeian
(8 messages posted)
Using win98, when I startup I get multiple illegal operation messages leading to
the crashing of the computer and having to switch off and on. The messages relate
to, to name a few, spool32, systray, stimon, thguard etc etc. Basically I can't do
anything on the computer at the moment! I am aware that I am infected with the Bube
virus and am currently trying to get rid of it. Is it likely that this recent spate
of illegal operation errors is due to that virus? Is there any way to stop it without
removing the virus? I am having difficulty removing the Bube!! Any help greatly appreciated
guys and girls.
|
re: Multiple illegal operation errors on startup
Friday, May 13, 2005 at 8:21 pm Posted by dhm
(966 messages posted)
A search shows that several people think that Kaspersky Antivirus is the answer to
the Bube. One said McAfee will not remove it. Secunia linked me to Sophos antivirus
but that was a generic page. Some said only Kaspersky can do it.
Kaspersky has a 30 day free trial period but it is 26Mb and 5mb for the update,
which will certainly be needed since Bube is new. These are links to answers in
other forums:
forums.maddoktor2.com
forums.techguy.org
www.spywarewarrior.com
On Friday, May 13, 2005 at 5:12 am, Weeian wrote:
>Using win98, when I startup I get multiple illegal operation messages leading to
>the crashing of the computer and having to switch off and on. The messages relate
>to, to name a few, spool32, systray, stimon, thguard etc etc. Basically I can't do
>anything on the computer at the moment! I am aware that I am infected with the Bube
>virus and am currently trying to get rid of it. Is it likely that this recent spate
>of illegal operation errors is due to that virus? Is there any way to stop it without
>removing the virus? I am having difficulty removing the Bube!! Any help greatly appreciated
>guys and girls.
>
|
re: Multiple illegal operation errors on startup
Friday, May 13, 2005 at 9:51 pm Posted by Ms. Eagle
(32532 messages posted)
If you can't do anything, you sure can't run a scan. Initially, Kaspersky was the
only AV that could remove Bube, but that may have changed. Can you boot into safe
mode? Startup programs don't load in Safe. Those illegal operation messages are related
to your startup applications, the way it looks.
I would try restoring a registry backup, first, since that's easiest, quickest thing
to try. That's assuming this happened in the last few days. Windows only creates
5 registry backups by default. Reboot and hold the CTRL key down, until you get the
boot menu.
Choose Command prompt only. At the C:\> type: scanreg /restore Press enter.
Choose a date prior to this problem. A good backup will have the word "Started" before
it. Then hit Enter. You should get a message that Windows successfully restored the
registry. Then CTRL_ALT_DEL and see if you get back into Windows. Let us know how
things go.
P.S. If that doesn't do it, you should be able to choose 'Safe mode with networking
support' (or similar) from the boot menu. Then go online to run a virus scan.
CA eTrust 'Scan for Virus'
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Tuesday, May 17, 2005 at 1:26 am Posted by Weeian
(8 messages posted)
Sorry Carol, I can get onto the machine eventually so I will be able to run a scan.
HJT and post results here for help?
Regards Kaspersky the problem I have is that the link to the free trial version on
their site is not the free trial version!! I have DL's it several times although
not through my own machine as I can't currently DL presumably due to the bube, I have
DL's Kaspersky to a datastick and put it on my computer that way but when I start
the program it prompts me to 'purchase a registry key'??
Any thoughts?? I have gone back to a previous registry but the startup illegal operation
problem keeps coming back.
|
re: Multiple illegal operation errors on startup
Wednesday, May 18, 2005 at 3:27 am Posted by Weeian
(8 messages posted)
I have run a HJT scan, can anyone look over it for me and confirm what I have (virus
wise) if anything and what I should delete??? Is there anything on here that might
explain my many illegal operation messages on startup??? HELP!!!!
Logfile of HijackThis v1.99.1
Scan saved at 20:00:41, on 17/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
|
re: Multiple illegal operation errors on startup
Wednesday, May 18, 2005 at 10:40 am Posted by Ms. Eagle
(32532 messages posted)
Hi there,
Yes, it's likely the infection is causing the illegal operation messages. You
didn't say, whether you ran the online virus scan I suggested? If not, please do
so after fixing these entries and deleting the infected files. Please follow these
instructions carefully.
You'll need to make sure hidden files are visible:
How to Show System Files
Boot into Safe mode to fix these entries:
Starting your computer in Safe mode
You need to make sure Trojan Hunter, and any other prevention programs, aren't running
to hinder removal. You could disable them temporarily by removing them from startup.
Once in Safe mode, close ALL open windows. Run HJT, select these entries. Choose
Fix checked. Close HJT.
C:\WINDOWS\PTSNOOP.EXE
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Locate and delete these files:
C:\WINDOWS\PTSNOOP.EXE <--
C:\WINDOWS\isrvs\desktop.exe <--
C:\WINDOWS\isrvs\ffisearch.exe <--
Run a search for this one, using Find - Files or folders. The log shows no path to
it. If found, delete it.
istsvc.exe
Important: Before rebooting, clear your browser cache. For IE: Go into the Control
Panel - Internet Options - General tab. Delete temporary internet files - choose
'delete all Offline content'. Settings - set the size of your TIF folder between
5 - 10 MB. Empty the C:\Windows\temp folder and C:\temp folder, if you have one.
Empty Recycle Bin. Reboot normally. Then run that online virus scan and let me know
the results.
Install SpywareBlaster to help prevent future malware infections. (It's not a cleaner).
Be sure to download updates and enable all protection. It doesn't need to be running
to protect your system. Check for updates frequently:
JavaCool Software
It's strongly advised to use an alternative browser as your main browser. FireFox
(most popular) or Opera are a couple good choices. IE has too many security issues
and is very vulnerable to malware infections and hijackings. Hijackings are very
rare, with other browsers. If you stay with IE, I suggest IE-Spyads, also. For other
tips and suggestions, check this page below....
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 5:29 am Posted by Weeian
(8 messages posted)
Carol,
Thanks very much for your time and assistance on this problem. I must confess I didn't
run the link you gave but will do so tonight after I have carried out the other instructions.
I ran a program last night, registry mechanic I think it was, and it threw up like
in excess of 500 problems with my registry! Unfortunately the free version of the
program only removed about 100 odds of them! I also downloaded Spybot Search and
Destroy although haven't run it yet to see what it can do.
I have resorted to a previous registry using the scanreg/restore method but the illegal
operation messages are still coming on startup. I can get onto the computer still
although sometimes I have to startup like 5 or 6 times before resorting to a previous
registry just to get on!!!
Perhaps you can answer a few quick questions for me:
Does my HJT log show that I still have the Bube virus?
If I start using Firefox and delete IE from my system will the virus go with IE?
I was given this computer some time ago by a relative and really had no idea about
windows updates. Someone else advised that I run my updates ASAP. So I went to the
updates and there were about 45 of them! I'm using dial up so no doubt you can appreciate
that this will take a very very long time in downloading!!! I assume that I should
continue with this anyway??
Again Carol, cheers for your help.
|
re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 5:37 am Posted by Weeian
(8 messages posted)
Sorry Carol, forgot to mention Kaspersky's program, I had said previously that I
cant seem to get a trial version of it. I have downloaded the program a few times
and every time when I try to start it up I am prompted to 'purchase' a registry key
for it.
What the hell is a registry key? I assume that there is a fee involved as the word
purchase is used? Do you know if there is a free trial version and if so do you know
where I can find a link to it? Is the free trial a hoax???
|
re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 4:08 pm Posted by weeian
(5 messages posted)
Carol,
Have done everything that you suggested, one 'small' problem, I can't run the scan.
I started to run it in normal mode, it had detected about 10 instances of viruses
at different sites/places but then the good old Explorer has encountered a problem
and must close down kicked in and my scan was no more! So I tried the Safe Mode with
networking support but its not on my list of start up options and a quick search
of the net suggests that windows 98 doesn't have that option.
Any other suggestions?
Is it possible to go online in safe mode?
|
re: Multiple illegal operation errors on startup
Thursday, May 19, 2005 at 7:44 pm Posted by Ms. Eagle
(32532 messages posted)
You're welcome. There's no sign of the bube virus in the log. The infections listed
are "Desktop Search" hijacker and "ISTBar foistware".
Under the circumstances, it might be best to "generate a StartupList log" and post
that log, also at the same time. To do that, run HijackThis and click "Open the Misc
Tools section". Where it says Generate StartupList log, first choose "List also minor
sections (Full)". Then click Generate StartupList log. Once the scan is finished,
the log will automatically open in Notepad, etc.
I wouldn't get too carried away with registry mechanic, though. It's often necessary
to repair Internet Explorer once you've got things cleaned up. First, let me know
how the scan goes, etc and post a new log. Forget about Kaspersky, I don't know what
the deal is. You've about got things cleaned up now.
As for Windows updates, you should wait until the malware is cleaned up. However,
not every update available applies in all circumstances. You should never install
every update that's available. WMP 9, for one, which doesn't get along well on 9x
systems. Don't install 'drivers' from Windows update site.
The most important updates are the IE Security updates. Usually, installing the latest
"cumulative" patch is sufficient. You should read the descriptions first. The best
way to install those, is to download them. Then install offline, after closing all
running programs and open windows. Install one at a time, rebooting in between.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 1:14 am Posted by Weeian
(8 messages posted)
Cheers Carol, I'll get that other HJT scan on tonight. Glad to hear there's no sign
of the bube. BTW I DL'd and installed firefox last night. When I get this problem
sorted is it advisable to remove IE from the computer or should I just use firefox
where I can and keep IE in case it is required? I noticed that the scan you suggested
wouldn't run in Firefox, something about 'netscape' and requiring 'IE 4.0' hence
I had to run it in IE. Anyways, I'll get that scan run and log posted here for your
perusal. Thanks again, you really are a great help in this matter.
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 10:45 am Posted by Ms. Eagle
(32532 messages posted)
You'll still need to use IE on occasion, but you can use FireFox as your main browser.
Since IE is tightly integrated into Windows, it can't be completely removed without
a third party program. There's no uninstaller for it.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:01 pm Posted by weeian
(5 messages posted)
Carol,
Here's my startup log from HJT. Look forward to hearing from you with any further
advice as I'm really strugglin now, having trouble even gettin through startup! Computer
just keeps freezing on startup, took me about 7/8 goes to get on tonight, losing
the will to hit the power button at times lol!!
As per my earlier post, do you know if I can get online in safe mode with win98 as
this seems the only way I will be able to run the virus scan you suggested?
--------------------------------------------------------------------
StartupList report, 20/05/05, 18:56:17
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ATIGART = c:\ati\gart\atigart.exe
EnsoniqMixer = starter.exe
Internet Registration = c:\program files\internet explorer\connection wizard\netcheck.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadQM = loadqm.exe
ScanRegistry = c:\windows\scanregw.exe /autorun
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
IST Service = \ISTsvc\istsvc.exe
KAVPersonal50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
RegistryMechanic = C:\Program Files\Registry Mechanic\RegMech.exe /QS
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
kavsvc = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
MsnMsgr = "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ICC2000 = C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = c:\windows\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe
[MmoptPreferredAudioDevices] *
StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_0546&PID_3155&MI_02\2USB&VID_0546&PID_3155&INST_0
[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=C:\WINDOWS\PTSNOOP.EXE
run=
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 18/5/2005, 23:11:38)
[rename]
C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
CALL C:\WINDOWS\RECOVERY\CHECK.BAT
LH C:\WINDOWS\COMMAND\MOUSE
LH keyb uk,,c:\windows\COMMAND\keyboard.sys
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
C:\PROGRA~1\CREATIVE\CTSND\DOSDRV\APINIT.COM
--------------------------------------------------
C:\CONFIG.SYS listing:
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
DOS=HIGH,UMB
DEVICEHIGH=C:\WINDOWS\COMMAND\VIDE-CDD.SYS /D:CD-ROM
COUNTRY=044,850,C:\WINDOWS\COMMAND\COUNTRY.SYS
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
C:\PROGRA~1\CREATIVE\CTSND\DOSDRV\APINIT
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:CD-ROM /M:10
echo.
cls
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
IE Update Class - C:\WINDOWS\isrvs\sysupd.dll (file missing) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
609BFCEA6E7C5235.job
EBF8AC596E9B9DCA.job
A57C84616E7D204E.job
4A156C176E7DA174.job
7ED0CF226E7C409F.job
2ED9F1CF6E7CD83C.job
4C0D7046918B160D.job
--------------------------------------------------
Enumerating Download Program Files:
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 10\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38485.4072916667
[WScanCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\WEBSCAN.DLL
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 7,704 bytes
Report generated in 0.310 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:33 pm Posted by Ms. Eagle
(32532 messages posted)
Ian, I can't help you here, because this discussion/thread belongs to someone else.
This will only cause confusion and isn't fair to the originator of this thread.
You need to start your own thread by choosing to post a 'new' message, then describe
your problem. Each case is different. My instructions are to the original poster
in this thread, weeian.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 5:48 pm Posted by weeian
(5 messages posted)
Carol,
??? Youve lost me?? I am weeian, I dont know why some posts show weeian and some
show ian ingram but they are one in the same. Wee Ian, 5'6'' tall, Wee Ian, you gettin
me lol. Hopefully you can continue to help me now on this thread. I did start it
honestly!!
Managed to run that CA scan. Here is the result, looks scary enough to me but then
I don’t know much about it!
I clicked ‘Cure Files’ after the scan and all the ‘infected’s changed to ‘cannot
cure’
Whats next? Am I gonna have to buy some sort of virus removal program or are they
free? Or is it a case of manual removal of files?
Excuse my ignorance!
dload.exe.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
su1111fka.exe.tcf Win32.SillyDl.ES infected C:\WINDOWS\SYSTEM\
private-zone.exe.tcf Win32.SillyDl infected C:\WINDOWS\SYSTEM\
DLOAD.EXE7773.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE1877.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE69.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE3286.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE2639.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE160.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
DLOAD.EXE3496.tcf Win32.Tibser.P infected C:\WINDOWS\SYSTEM\
SU1111~1.TCF Win32.SillyDl.ES infected C:\WINDOWS\SYSTEM\
PRIVAT~1.TCF Win32.SillyDl infected C:\WINDOWS\SYSTEM\
msxmidi.exe Win32.Bube.H infected C:\WINDOWS\
targetsaver.exe Win32.SillyDl.LC infected C:\WINDOWS\
GLF9084GLF9084.EXE Win32.SillyDl.LC infected C:\WINDOWS\
tsinstall_4_0_3_8_b17.exe Win32.SillyDl.LC infected C:\WINDOWS\
sidefind.exe.tcf Win32.SillyDl.KL infected C:\WINDOWS\
ukqql.exe.tcf Win32.SillyDl.LC infected C:\Program Files\Common Files\ukqq\
127062.exe.tcf Win32.Tibser.G infected C:\Program Files\WebSiteViewer\
delete.bat BAT.Deltree infected C:\image\tools\
web.exe Win32.Bube.H infected C:\
127062.exe.tcf Win32.Tibser.G infected C:\
127062.EXE4287.tcf Win32.Tibser.G infected C:\
127062.EXE292.tcf Win32.Tibser.G infected C:\
|
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 6:34 pm Posted by Ms. Eagle
(32532 messages posted)
"Youve lost me?? I am weeian...."
Whatcha mean "I" lost you, you lost me. Two different names, so you must have another
account, with a different email address? It's always best to stay with the same
user name in one thread, if you can. Anyhow....
According to your StartupList log, everything I'd instructed you to fix in HJT is
still there. Did you follow my previous instructions to fix those entries, delete
files, etc.?
Dealing with Unwanted Spyware and Parasites
|
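The comparison described in the post above, checking a later StartupList report for the entries that were supposed to have been fixed in HijackThis, can be scripted. This is an added example, not part of the original thread and not HijackThis code: the function names are hypothetical, `FIX_LIST` and `REPORT` are excerpts of the logs posted in this thread, and `CLEANED` is a constructed report for contrast.

```python
import re

# Entries the helper asked to have fixed, in HijackThis log format (excerpt from the thread).
FIX_LIST = r"""
F1 - win.ini: load=C:\WINDOWS\PTSNOOP.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

# Excerpt of the StartupList report posted two days later in the thread.
REPORT = r"""
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMonitor = c:\windows\taskmon.exe
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
IST Service = \ISTsvc\istsvc.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=C:\WINDOWS\PTSNOOP.EXE
run=
--------------------------------------------------
Enumerating Browser Helper Objects:
IE Update Class - C:\WINDOWS\isrvs\sysupd.dll (file missing) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}
--------------------------------------------------
"""

# Constructed report (not from the thread): what a successful cleanup would leave behind.
CLEANED = r"""
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMonitor = c:\windows\taskmon.exe
--------------------------------------------------
"""

O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] ")
F1 = re.compile(r"^F1 - win\.ini: (load|run)=")
O2 = re.compile(r"^O2 - BHO: .*?(\{[0-9A-Fa-f-]{36}\})")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def key_for_hjt_line(line):
    """Map a HijackThis line to a key comparable with StartupList, or None if unsupported."""
    m = O4.match(line)
    if m:
        hive, key, name = m.groups()
        return ("autorun", hive, key.lower(), name.lower())
    m = F1.match(line)
    if m:
        return ("win.ini", m.group(1))
    m = O2.match(line)
    if m:
        return ("bho", m.group(1).lower())
    return None  # e.g. O9 extra buttons, which StartupList does not list


def parse_startuplist(report):
    """Collect autorun, win.ini load/run and BHO keys from a StartupList report."""
    # The report's own option list says empty sections appear only with /complete,
    # so a section that is absent is treated here as having no entries.
    present = set()
    for section in re.split(r"(?m)^-{10,}[ \t]*$", report):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if not lines:
            continue
        title = lines[0]
        if title.startswith("Autorun entries from Registry") and len(lines) > 1:
            m = re.match(r"(HKLM|HKCU)\\.*\\(Run\w*)$", lines[1])
            for entry in lines[2:] if m else []:
                name, sep, _ = entry.partition(" = ")
                if sep:
                    present.add(("autorun", m.group(1), m.group(2).lower(), name.lower()))
        elif title.startswith("Load/Run keys from"):
            for entry in lines[1:]:
                k, sep, v = entry.partition("=")
                if sep and v.strip():
                    present.add(("win.ini", k.lower()))
        elif title.startswith("Enumerating Browser Helper Objects"):
            present.update(("bho", c.lower()) for l in lines[1:] for c in CLSID.findall(l))
    return present


def audit(fix_list, report):
    """Return [(hjt_line, status)] with status 'still present', 'gone' or 'cannot verify'."""
    present = parse_startuplist(report)
    results = []
    for line in filter(None, (l.strip() for l in fix_list.splitlines())):
        key = key_for_hjt_line(line)
        status = ("cannot verify" if key is None
                  else "still present" if key in present else "gone")
        results.append((line, status))
    return results


if __name__ == "__main__":
    for line, status in audit(FIX_LIST, REPORT):
        print(f"{status:14} {line}")
```

Entries that come back as "still present" after a registry restore are the ones to fix again before the next scan.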
re: Multiple illegal operation errors on startup
Friday, May 20, 2005 at 7:38 pm Posted by Ms. Eagle
(32532 messages posted)
weeian, I need to hear it directly from you, under the same user name. Are you also
posting under the name "ian ingram", and is this your post?
http://www.annoyances.org/exec/forum/win98/1116576864
"I am weeian, I dont know why some posts show weeian and some
show ian ingram but they are one in the same."
Anyone could have posted those messages, claiming to be you. It doesn't sound like
you, but I don't want to assume.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 10:57 am Posted by weeian
(5 messages posted)
Right Carol, I seem to have made a bit of a mess of this thread, sorry, I didn't
know there were rules about posting to the thread starter etc etc. So I think I'm
in now as weeian again lol. Yes the link above is mine.
Re the deleted files, yes I did delete them but I'm guessing that I have gone back
to another registry where they weren't deleted?? Possible???
Anyways, I'll get those files deleted again now and then run the CA scan.
Sorry bout the confusion. lol, new to this site!
|
re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 12:43 pm Posted by weeian
(5 messages posted)
Carol,
I have deleted the files you advised from HJT and ran the CA scan again and the result
was exactly the same as the scan last night, 24 viruses found.
Do you have any idea how I am going to get rid of these beasties?
|
re: Multiple illegal operation errors on startup
Saturday, May 21, 2005 at 1:55 pm Posted by Ms. Eagle
(32532 messages posted)
Don't worry about the name confusion, but I just had to know for sure. You didn't
break any rules, and why would you think anything of it. It seemed unlikely it was
anyone else considering, but we often have problems with posters hijacking someone
else's threads, and it's really annoying.
These downloader trojans are very difficult to deal with, as they continue to download
and install more malware, each time you log on to the net. The file names are random.
As you can see, the infected files listed are in various locations. While you can
try tracking each one down and deleting them, it's not that simple to clear it all
up. As you've found out, your system just gets reinfected.
Here's a description of one of those trojans:
"Win32.SillyDl is a family of trojans that act as downloaders."
http://secunia.com/virus_information/10588/win32.sillydl/
I'm not experienced enough to deal with some of these advanced malwares. Removal
procedures can be quite complex. I suggest you get "expert" help on a malware support
forum.
This is a newer forum and won't be nearly as busy as some of the others. The wait
won't be as long, because many of the forums are swamped with serious malware problems.
Post a message noting your problem, and what cleaning you've done so far.
http://forum.malwareremoval.com/
Hang in there, and good luck, wee Ian. :-)
P.S. a few other popular forums, but they're likely quite busy:
CastleCops forums
Spyware Warrior forum
cexx.org discussion boards
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Monday, May 23, 2005 at 1:16 am Posted by Weeian
(8 messages posted)
Carol,
Thanks for all your help so far on this. On Saturday night I lost the plot and ran
a re-load disk in the computer thereby of course scrubbing it back to the way it
was when it came out of the box. I have lost all the music I had stored on media
player and some photos of my kids that I had stored, which is quite upsetting, but
I am hoping that I have removed the viruses from the machine. All is in perfect working
order now, with uninterrupted startup every time. I have downloaded Firefox again
to use as my main browser.
I assume that this action will have removed the viruses?
Can you give me any advice on how to keep them out now?
Should I start another thread on that topic?
|
re: Multiple illegal operation errors on startup
Tuesday, July 12, 2005 at 12:34 pm Posted by joey
(1 messages posted)
I have an illegal operation when I start Windows. It doesn't let me load my desktop
items. It says illegal operation, and when I click the X or close button my computer
shuts down. What should I do? Even in safe mode it loads but it still says illegal
operation, and I can't enter certain things like the internet and some other programs.
That's why I'm at my girlfriend's writing this message so you can help me correct the
problem.
|
re: Multiple illegal operation errors on startup
Tuesday, July 12, 2005 at 1:48 pm Posted by Ms. Eagle
(32532 messages posted)
Please start a new thread describing your problem. You're more likely to get help
that way, rather than posting in an older thread.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Sunday, August 21, 2005 at 1:16 pm Posted by Pascale
(3 messages posted)
Dear Carol,
I was without my computer since June due to illegal operation message and no start
up menu not even in Safe Mode. I tried everything, but was reluctant to use the
restore pack as I did not want to lose all my data as I had no backup. However,
I was absolutely amazed when on following your advice re Command Prompt, my computer
was fully restored to normal again within 2 minutes. You're certainly very knowledgeable
and know what you're talking about regarding computers. Many many thanks. I was
dreading what a repair man was going to charge me but could see no other option until
I read this article of yours. The bonus being I have all my original data intact.
Thank you again. Pascale.
On Friday, May 13, 2005 at 9:51 pm, Carol J wrote:
>
>If you can't do anything, you sure can't run a scan. Initially, Kaspersky was the
>only AV that could remove Bube, but that may have changed. Can you boot into safe
>mode? Startup programs don't load in Safe. Those illegal operation messages are related
>to your startup applications, the way it looks.
>
>I would try restoring a registry backup, first, since that's the easiest, quickest thing
>to try. That's assuming this happened in the last few days. Windows only creates
>5 registry backups by default. Reboot and hold the CTRL key down, until you get the
>boot menu.
>
>Choose Command prompt only. At the C:\> type: scanreg /restore Press enter.
>Choose a date prior to this problem. A good backup will have the word "Started" before
>it. Then hit Enter. You should get a message that Windows successfully restored the
>registry. Then CTRL_ALT_DEL and see if you get back into Windows. Let us know how
>things go.
>
>P.S. If that doesn't do it, you should be able to choose 'Safe mode with networking
>support' (or similar) from the boot menu. Then go online to run a virus scan.
>CA eTrust 'Scan for Virus': http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>
>Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Thursday, August 25, 2005 at 6:53 pm Posted by Ms. Eagle
(32532 messages posted)
You're very welcome. I'm glad it was of help to you, and thanks so much for letting
me know!
Restoring a registry backup can bail us out of a number of problems, but not always.
It's too bad you didn't post for help on the forums before.
Next time you have trouble, just stop in and post a new message and hopefully someone
will be able to help.
Dealing with Unwanted Spyware and Parasites
|
re: Multiple illegal operation errors on startup
Monday, November 28, 2005 at 9:41 am Posted by TechnoTrix'd
(1 messages posted)
Just to echo what was posted in August, I found this "thread" through a Google search.
I had the Ptsnoop exe on my system and my registry files had become corrupted over
the weekend.
Great "tip" on how to restore the registry files, once I did that I was back up and
running.
I have since followed your links to the mvps.org and have done extensive layering
of the various anti-spyware solutions (i.e. host file, spyware tool, etc..) to all
of my home machines.
Again, just wanted to drop a heart-felt thank-you to Carol for all of her help to
the greater community..
Peace......Rob
On Thursday, August 25, 2005 at 6:53 pm, Carol J wrote:
>
>You're very welcome. I'm glad it was of help to you, and thanks so much for letting
>me know!
>
>Restoring a registry backup can bail us out of a number of problems, but not always.
>It's too bad you didn't post for help on the forums before.
>
>Next time you have trouble, just stop in and post a new message and hopefully someone
>will be able to help.
>
>Dealing with Unwanted Spyware and Parasites